General

  • Target

    526330a5801be45ad490a9057dab40dc70fee6e55258d77e049e98049b25001d

  • Size

    6.2MB

  • Sample

    221130-rjwy3sbb6w

  • MD5

    b66c3e5a02f4287c96e433fe130a2cc6

  • SHA1

    77955f00cee70fbb6990e4ac07aea4d1a9a8e167

  • SHA256

    526330a5801be45ad490a9057dab40dc70fee6e55258d77e049e98049b25001d

  • SHA512

    89335195b086d7d0c1ab137716535b77f218e4fd8f906ed5c1a0a01e7d62c87d7c17aa23805413d9f42babfa0371f04fa60a5f6a78e9b7bccab4e69bdd08e9ca

  • SSDEEP

    98304:cDiT1yf9FYIObKiHC2e9qecljV6XRbo7ktbJnfCBlSx2k8VrhMPS5zIP5/35:cwS5ODzD4XRbo7OblaBDrmq5EP5/35

Score
10/10

Malware Config

Extracted

  • Family

    bitrat

  • Version

    1.34

  • C2

    logonapplication.ddns.net:4010

  • Attributes

    communication_password: c4ca4238a0b923820dcc509a6f75849b

    tor_process: tor

Targets

    • BitRAT

      BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  Tactic                Technique                       Count  ID
  Execution             Scheduled Task                  1      T1053
  Persistence           Scheduled Task                  1      T1053
  Privilege Escalation  Scheduled Task                  1      T1053
  Defense Evasion       Virtualization/Sandbox Evasion  2      T1497
  Discovery             Query Registry                  5      T1012
  Discovery             Virtualization/Sandbox Evasion  2      T1497
  Discovery             System Information Discovery    4      T1082
  Discovery             Peripheral Device Discovery     1      T1120

Tasks